Update SECURITY.md

Author: raphw

SECURITY.md

@@ -2,8 +2,134 @@
 
 ## Supported Versions
 
-Only the latest version is guaranteed to be secure. For this purpose, Byte Buddy maintains backwards compatibility. Please note the [readme of the project](https://github.com/raphw/byte-buddy/blob/master/README.md) for further information.
+| Version Range | Supported |
+|--------------|----------|
+| Latest       | Yes      |
+| Older        | No       |
+
+Security fixes are applied only to the latest released version. Users are strongly encouraged to upgrade.
+
+---
 
 ## Reporting a Vulnerability
 
-Please disclose responsibly by [contacting the maintainer](mailto:rafael.wth@gmail.com). After a fix is released, any vulnerability will be publicly disclosed and registered. As of today, no vulnerabilities are known to exists.
+Please report security vulnerabilities via GitHub Security Advisories.
+
+**Do not open public issues for security-related reports.**
+
+When reporting, include:
+- Affected versions
+- Detailed reproduction steps
+- Proof-of-concept (if available)
+- Impact assessment
+
+### Response Targets
+
+- Initial acknowledgment: within 48 hours  
+- Triage and assessment: within 3–5 days  
+
+### Fix Targets
+
+- Critical issues: < 7 days  
+- High severity: < 14 days  
+- Medium/Low: best effort  
+
+---
+
+## Severity Classification
+
+- **Critical**
+  - Arbitrary code execution through instrumentation
+  - Unsafe class loading leading to sandbox escape
+
+- **High**
+  - Privilege escalation via agent misuse
+  - Bypassing intended constraints in bytecode generation
+
+- **Medium**
+  - Denial of service via malformed bytecode
+  - Stability issues impacting runtime safety
+
+- **Low**
+  - Edge-case validation issues
+  - Non-exploitable incorrect behavior
+
+---
+
+## Disclosure Policy
+
+- Vulnerabilities are handled via private coordination
+- Fixes are developed and validated before disclosure
+- Public disclosure occurs after a fix is available
+
+Advisories will include:
+- Affected versions
+- Description of impact
+- Mitigation steps
+- Upgrade guidance
+
+---
+
+## Security Best Practices for Users
+
+- Restrict use of Java agents in production environments
+- Validate class loaders and transformation targets
+- Keep Byte Buddy updated to the latest version
+- Avoid exposing instrumentation capabilities to external users
+
+---
+
+## Dependencies
+
+Byte Buddy repackages ASM internally to avoid dependency conflicts.
+
+Users should still monitor:
+- JVM-level vulnerabilities
+- Build and runtime environments
+- Dependency scanning results in their own systems
+
+---
+
+# Threat Model
+
+## Overview
+
+Byte Buddy is safe to use as a regular library for class generation and extension when used within trusted code. The primary risks arise from features that allow modification of existing code or execution of injected logic.
+
+---
+
+## High-Risk Areas
+
+### Java Agents
+
+Java agents can transform or redefine classes at runtime and operate with the full privileges of the hosting JVM.
+
+**Risks**
+- Injection of arbitrary code into application classes  
+- Modification of security-sensitive logic  
+- Full process compromise if misused or exposed  
+
+**Guidance**
+- Do not allow untrusted agents  
+- Restrict agent attachment in production environments  
+
+---
+
+### Build Plugins
+
+Byte Buddy can be used in build tools to modify bytecode during compilation or packaging.
+
+**Risks**
+- Execution of malicious code during build  
+- Supply chain compromise via untrusted plugins or dependencies  
+
+**Guidance**
+- Only use trusted plugins and dependencies 
+- Verify build integrity and dependency sources  
+
+---
+
+## Summary
+
+- Regular library usage is considered safe under normal conditions  
+- The main security risks stem from **code injection capabilities**, especially via agents and build-time instrumentation